about:blank hijack from coolwebsearch


35 replies to this topic

#1 bevnjeff

Posted 24 June 2004 - 10:10 PM

Like many others here, our IE start page has been hijacked to about:blank. Yesterday we ran Adaware, Coolwebshredder, and Hijackthis, and it "fixed" the problem. But, today, about:blank is back.

Here is our Hijackthis file:

Logfile of HijackThis v1.97.7
Scan saved at 10:42:14 PM, on 6/24/2004
[Outdated log removed]

Edited by WinHelp2002, 13 November 2004 - 05:37 AM.


#2 bevnjeff

Posted 23 October 2004 - 12:58 PM

I have been trying to remove my home page hijacks for 7 months now, with varying degrees of success. I can restore my home page by finding and deleting the 31 kb dll file that gets created during the hijack, running hijackthis, and clicking the R1 and R0 entries, as well as one O2 entry. But, I cannot find the file that CREATES the dll file. Therefore, the hijack returns every 1-2 days.

I posted in June, but did not get a reply :( . I know you're all real busy, though, and I appreciate whatever help you can give me.

I read Mike's FAQ post, and the hijacked article, ran updated versions of adaware and spybot. I am "clean" right now, but I am always clean after running those programs, and I get un-clean shortly thereafter.

Here is my current hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 1:06:56 PM, on 10/23/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\update.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM5.5.3415\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\Coolwebshredder\Hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\family\Application Data\Mozilla\Profiles\default\8o1ht4zm.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [Update 5300C] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\update.exe 5300C+
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM5.5.3415\aim.exe -cnetwait.odl
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt0_x.cab
O16 - DPF: Yahoo! MLB StatTracker - http://aud5.sports.d...mlbst8402_x.cab
O16 - DPF: Yahoo! NBA StatTracker - http://aud4.sports.y...nbast8262_x.cab
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud13.sports....lgcst1008_x.cab
O16 - DPF: Yahoo! NHL StatTracker - http://aud3.sports.y...nhlst8242_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.micr...b?1083975488281
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instants...erxsigned33.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8CAE1D5-C336-4687-ABE8-8BBF7BB1C82D}: NameServer = 216.187.0.20 216.187.0.21



I am on dialup, but want to switch to hi-speed. I'm afraid to while I have a "visitor" in my computer, though.

Please help!

Thanks,

bevnjeff

#3 bevnjeff

Posted 25 October 2004 - 07:19 PM

Can someone please help us with this hijack? We've had it since March, and are annoyingly close to getting rid of it (we think!).

Appreciated,

bevnjeff

#4 bevnjeff

Posted 27 October 2004 - 02:47 AM

Help! Please, someone help us with our hijacked home page!

#5 Indrid_Cold

Posted 27 October 2004 - 03:49 AM

Greetings bevnjeff
So sorry you have been made to wait so long.

I am looking the log over and will get back to you soon.

Thank you so much for your patience.
Hope is not a method.

If I have helped in some way, please consider donating to SpywareInfo's crusade against Malware See Here

Member of ASAP since 2004 Alliance of Security Analysis Professionals
Member of UNITE since 2006 United Network of Instructors and Trained Eliminators

Fight back Malware Complaints

#6 Indrid_Cold

Posted 28 October 2004 - 03:43 AM

Please download the new version of CWShredder
Save it to your desktop.
Do not run it yet.

Please download FxAgentB
Follow Symantec's instructions for running it.
Do save the log file. I will want to see it.

- Reboot

Please run CWShredder. Be sure to click Fix as opposed to Scan Only.

- Reboot

Please post a new HijackThis log and the log that FxAgentB gave you.

#7 bevnjeff

Posted 29 October 2004 - 01:30 AM

Thank you for your advice. Oh, and YAY SOX!!!

I did everything you asked, in the order you asked.

When I ran FxAgentB, it said I was not infected.

Log is:

Symantec Backdoor.Agent.B Removal Tool 1.0.1.2


Backdoor.Agent.B has not been found on your computer.

Here is my hijackthis file:

Logfile of HijackThis v1.97.7
Scan saved at 2:23:44 AM, on 10/29/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\update.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM5.5.3415\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Coolwebshredder\Hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\family\Application Data\Mozilla\Profiles\default\8o1ht4zm.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [Update 5300C] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\update.exe 5300C+
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM5.5.3415\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt0_x.cab
O16 - DPF: Yahoo! MLB StatTracker - http://aud5.sports.d...mlbst8402_x.cab
O16 - DPF: Yahoo! NBA StatTracker - http://aud4.sports.y...nbast8262_x.cab
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud13.sports....lgcst1008_x.cab
O16 - DPF: Yahoo! NHL StatTracker - http://aud3.sports.y...nhlst8242_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.micr...b?1083975488281
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instants...erxsigned33.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8CAE1D5-C336-4687-ABE8-8BBF7BB1C82D}: NameServer = 216.187.0.20 216.187.0.21

Thanks again for your help!

--bevnjeff

#8 Indrid_Cold

Posted 29 October 2004 - 11:01 AM

You are most welcome bevnjeff.

I see nothing in your log to indicate any problems. You never mentioned in your reply if you are still being hijacked or if there are any other issues. If all seems well now, please let me know. If not:

Please download DLLCompare HERE

Launch the program and place a check mark in the include subdirectories.

Click the Compare button and wait until it completes.

To reduce the number of files found and remove them from the list, please click on each of the files in the lower section to select them, then right-click on the file and select the option "Rescan".

With what file(s) remain, please select Make a Log of what was found button, and please post the log here in this thread.

Please download Registrar Lite HERE
Launch it and copy/paste the line below into its address field and press Enter.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

In the right hand section the name AppInit_DLLs will be highlighted. Please double-click on the AppInit_DLLs entry then copy/paste the text found in the value field in this thread along with your DLLCompare log.

#9 bevnjeff

Posted 31 October 2004 - 10:29 AM

Happy Hallowe'en! And, a great parade in Beantown yesterday!

Good to see the site up and running again.

Although my log is clean, I still get hijacked. When I do, a random dll file of 31kb gets placed into my system32 folder, and 9 registry items are created or changed. To "fix" the problem, I delete the dll file (I have to go to the administrator account to do so), and I run HijackThis to delete the R0, R1 entries, and to delete the one O2 entry that has the bad dll. This fixes my problem for a day or two, but it always returns. As a matter of fact, it's here now. The bad dll is lekifk.dll, and was created at 1:18 this morning.

I ran DLLCompare, and Registrar Lite, and am posting their results. I am also posting the hijackthis file, so you can see the 10 bad entries.

******************DLLCompare *************************

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\winceh.dll Thu Feb 26 2004 5:05:06p A.... 21,504 21.00 K
________________________________________________

1,864 items found: 1,864 files, 0 directories.
Total of file sizes: 455,516,888 bytes 434.41 M

Administrator Account = True

--------------------End log---------------------


***************Registrar Lite ***************

c:\windows\system32\winceh.dll


***********Hijackthis file****************
Logfile of HijackThis v1.97.7
Scan saved at 10:24:08 AM, on 10/31/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\update.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM5.5.3415\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CWS\DllCompare.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Registrar Lite\rl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Coolwebshredder\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\family\Application Data\Mozilla\Profiles\default\8o1ht4zm.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B868C7C2-AABC-4A2B-9E43-8546FF422FF8} - C:\WINDOWS\system32\lekifk.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [Update 5300C] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\update.exe 5300C+
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM5.5.3415\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt0_x.cab
O16 - DPF: Yahoo! MLB StatTracker - http://aud5.sports.d...mlbst8402_x.cab
O16 - DPF: Yahoo! NBA StatTracker - http://aud4.sports.y...nbast8262_x.cab
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud13.sports....lgcst1008_x.cab
O16 - DPF: Yahoo! NHL StatTracker - http://aud3.sports.y...nhlst8242_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.micr...b?1083975488281
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instants...erxsigned33.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8CAE1D5-C336-4687-ABE8-8BBF7BB1C82D}: NameServer = 216.187.0.20 216.187.0.21

******************
Like I said, I put a check mark next to the R0, R1, and the third O2.

Thanks again for your help so far!

--bevnjeff
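The log above shows the two things the poster keeps cleaning by hand: R0/R1 entries whose start and search pages point at about:blank or about:NavigationFailure, and one O2 BHO entry whose DLL lives directly in system32 under a random name. The script below is an added example, not part of the thread, of HijackThis, or of any tool the helpers use; it parses R0/R1 and O2 lines in the HijackThis 1.97 format and flags that pattern. The sample lines are constructed from entries in the log above, and the `is_suspicious_bho` heuristic (a BHO DLL sitting directly in system32 rather than under Program Files) is this example's own assumption, not a rule from the forum.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape of the log posted above: the hijacked
# R0/R1 entries, one legitimate BHO and the random-named BHO in system32.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B868C7C2-AABC-4A2B-9E43-8546FF422FF8} - C:\WINDOWS\system32\lekifk.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
"""

# R0/R1: "<kind> - <hive>\<key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),([^=]+?) = (.*)$")
# O2: "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")


def parse_hjt(text):
    """Return one dict per recognised R0/R1 or O2 line; other sections are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            entries.append({"kind": m.group(1), "hive": m.group(2), "key": m.group(3),
                            "name": m.group(4), "value": m.group(5)})
            continue
        m = O2_LINE.match(line)
        if m:
            entries.append({"kind": "O2", "bho_name": m.group(1),
                            "clsid": m.group(2), "path": m.group(3)})
    return entries


def is_hijacked_start_page(entry):
    """about:blank / about:NavigationFailure in place of a URL is the symptom in the thread."""
    return entry["kind"] in ("R0", "R1") and entry["value"].lower().startswith("about:")


def is_suspicious_bho(entry):
    """Heuristic (this example's assumption): a BHO whose DLL sits directly in
    system32 instead of under Program Files deserves review. Every legitimate
    BHO in the posted log lives under Program Files."""
    if entry["kind"] != "O2":
        return False
    parent = str(PureWindowsPath(entry["path"]).parent).lower()
    return parent.endswith(r"\system32") and "program files" not in parent


def triage(text):
    """Summarise the entries a helper would ask to have fixed."""
    entries = parse_hjt(text)
    return {
        "hijacked": [f'{e["kind"]} {e["hive"]} {e["name"]} = {e["value"]}'
                     for e in entries if is_hijacked_start_page(e)],
        "suspicious_bho": [e["path"] for e in entries if is_suspicious_bho(e)],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for line in result["hijacked"]:
        print("hijacked page :", line)
    for path in result["suspicious_bho"]:
        print("review BHO    :", path)
```

Run against the full log rather than the sample and it lists exactly the ten entries the poster ticks each time; the point of the heuristic is that the DLL name changes on every reinfection while its location does not.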

#10 Indrid_Cold

Posted 31 October 2004 - 11:19 AM

Thank you bevnjeff for the logs, detailed information and your patience. The logs do indicate that your PC is infected with a very nasty variant of CWS.

I will review all and get back to you as soon as possible with a proposed fix.

#11 Indrid_Cold

Posted 02 November 2004 - 09:35 AM

Sorry for my delay bevnjeff. I was out of town on business.

Please take your time in following the steps below. It is not as intimidating as it first appears.


Launch Windows Explorer, and navigate to C:\ and then create a new folder called "Hijack" and within that folder, create two new folders, one called 'Backups' and one called 'Junk'.

Please launch Registrar Lite then copy and paste this line in Reglite's address bar.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Select the "go" tab. Find the "Appinit_Dlls" key in the right hand pane and double click to find the "Value" data. Confirm that c:\windows\system32\winceh.dll still shows in the 'Value' field.

Now copy and paste the key below into reglite's address bar and click 'Go'.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\

Click on the Windows key to highlight it in blue and use the top menu File>Export and save both these files in the C:\Hijack\Backups folder.

Winkey.reg (Save as type: regedit4 .reg type)
Winkey.hiv (Save as type: Scroll to select-regedt32/WinAPI *hiv *dat files)

Navigate to C:\Hijack\Backups to confirm both files have been successfully saved.

Using the Registrar Lite program again, copy and paste the key below into reglite's address bar and hit 'Go'.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Right-click on the Windows key in the left pane and rename it to "Notwindows". Then double-click "Appinit_Dlls" value in right pane and erase the data in the 'Value' box at the bottom of the new pane. The data to remove will be "winceh.dll".

Hit 'Apply' and 'OK' to set.

Now rename 'NotWindows' back to 'Windows' in the pane on the left.

Exit Registrar Lite and reboot your computer. If this fix worked, winceh.dll should not load on startup and should be visible in the folder C:\WINDOWS\System32.

Please download Winfile.zip.

Launch it and click File > Move

Copy and paste this into the 'From' box

C:\WINDOWS\system32\winceh.dll

Copy and paste this into the 'To' box:
C:\Hijack\Junk\winceh.dll

Click OK. Exit Winfile and please look in C:\Hijack\Junk for the file "winceh.dll" Please let me know what you find in that folder.

#12 bevnjeff

Posted 03 November 2004 - 02:10 AM

Bad news (well, for me, anyway). The winceh.dll file is not visible in the system32 file upon rebooting. It keeps re-showing up in the same place (in reglite) as it was before I followed your instructions. Interestingly, I went into regedit, just for a peek. When I click on AppInit_DLLs, under 'value data', it is blank.
Also, I tried to download the winfile.zip, but I was unable to do so -- I got this note:

HTTP1.1 STATUS 403 Remote Access to this object forbidden This file cannot be directly accessed from a remote site, but must be linked through the Brinkster Member's site.

Arrggghhhh! Now what? Help!

--bevnjeff

#13 Indrid_Cold

Posted 03 November 2004 - 09:29 AM

CoolWebSearch and all its many variants are one of the most cunning infections out there. The tools we have used so far have been successful in many of the infections exactly like yours. Don't be discouraged. Our arsenal is not empty by any means. We haven't lost one yet!

I think we are at a point now where I need to call in one of our experts to take a look at this. You will be contacted soon.

#14 PGPhantom

Posted 03 November 2004 - 11:16 AM

Indrid_Cold has asked me to lend a hand ...

I would like to ascertain where we currently stand so can you please perform the following:

To anyone other than the originator of this topic: do not use this thread to try to fix your system or anyone else's by copying it - this is not an automatic fix and requires the logs to be properly interpreted.

Click here to download FindnFix.exe (2K/XP only!) by freeatlast. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.

#15 bevnjeff

Posted 04 November 2004 - 11:51 PM

Thanks for offering to help us out, Phantom.

I could not do what you asked. I downloaded findnfix.exe, but when I ran !Log! it went through a few dll's (maybe 10-15), and then "hung" on winbrand.dll. I noticed that in a file called list.txt, winbrand is the file directly before winceh.dll, and winceh.dll says "read error!".

--bevnjeff

#16 bevnjeff

bevnjeff

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 12 November 2004 - 12:20 AM

Indrid? Phantom? I haven't heard from anyone in a while.

Help!

--bevnjeff

#17 Indrid_Cold

Indrid_Cold

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 7,070 posts

Posted 12 November 2004 - 05:11 AM

Despair not, fellow citizens of Red Sox Nation :)

The email notification will sometimes fail to alert that a post has been answered. I am in touch with PGPhantom to let him know you have responded. I suspect you will be hearing from him soon.
IC -

#18 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 12 November 2004 - 10:54 PM

Can you please boot into safe mode - How do I boot into "Safe" mode? and run it from there - Let me know what it comes up with?

#19 bevnjeff

bevnjeff

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 13 November 2004 - 12:55 AM

Hi -- We got the same (non?) result in safe mode. No file called log.txt was created. Several files in tmplogs were created: dlltxx, file, info, list, test, and typesys. Also, in a folder called keys1, a file called winkey was created.

When I ran !log!, after several minutes, it started cycling through dll files. It stalled at winbrand.dll, which is the dll file alphabetically preceding winceh.dll. Winceh.dll seems to be a problem file. There is a "read error" in the list file.

Contents of files:

winkey---------------------------------------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

file--------------------------------------------

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
The list will produce a small database of files that will match certain criteria.
Ex: read only files, s/h files, last modified date. size, etc.
The filters provided and registry scan should match the
corresponding file(s) listed.
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Unless the file match the entire criteria, it should not be pointed to remove
without attempting to confirm it's nature!
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
If in doubt, always search the file(s) and properties according to criteria!

The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder

______________________________________________________________________________
***YOU NEED TO DISABLE YOUR ACTIVE ANTI VIRUS PROTECTION TO AVOID CONFLICTS!***
______________________________________________________________________________

......Scanning for file(s)...
*Note! The list(s) may include legitimate files!
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........
»»Read access error(s)...

C:\WINDOWS\SYSTEM32\WINCEH.DLL +++ File read error
\\?\C:\WINDOWS\System32\WINCEH.DLL +++ File read error

»»»»» (*2*) »»»»»........
WINCEH.DLL Read Error!

»»»»» (*3*) »»»»»........

No matches found.

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

»»»»»(*5*)»»»»»



Help!

--bevnjeff

#20 bevnjeff

bevnjeff

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 17 November 2004 - 01:06 AM

Indrid? Phantom?

Help!

--bevnjeff

#21 Indrid_Cold

Indrid_Cold

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 7,070 posts

Posted 18 November 2004 - 12:47 AM

Sorry for the delay bevnjeff.

As one of the board's experts PGPhantom tends to be very busy and apparently email notification is still not informing him of your replies.

I will let him know you have replied and I would expect you will hear from him soon.

Thank you very much for your continued patience and understanding.

#22 bevnjeff

bevnjeff

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 20 November 2004 - 06:40 PM

Indrid, Phantom -- I hate to be a pest, especially since you are volunteers trying to help people, but I'm feeling abandoned here. I haven't heard anything in over a week.

Help!

Thanks
--bevnjeff

#23 Indrid_Cold

Indrid_Cold

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 7,070 posts

Posted 21 November 2004 - 09:24 AM

You are not being a pest and I can assure you that you have not been abandoned. I have and will continue to monitor this thread until we have resolved your hijack.

PGPhantom, as with all of our volunteers, devotes as much of his free time as he can to the cause. Not seeing him here for the last few days would lead me to believe that other matters are preventing him from doing so.

In hopes of keeping some kind of continuity to this thread, I have been reluctant to contact another one of our CWS experts to intervene. Now, with not knowing PGPhantom's situation nor when he might have the time to return, I shall do so.

I, being a victim of more than one hijack, know how frustrated you feel and nothing would please me more than to see your issues resolved. Please keep the faith while I seek other avenues in resolving your problems.

#24 Indrid_Cold

Indrid_Cold

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 7,070 posts

Posted 22 November 2004 - 11:51 PM

Some new information has come to light on the specific variant of your infection. I am currently writing up another fix and will be back with you soon.

#25 Indrid_Cold

Indrid_Cold

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 7,070 posts

Posted 23 November 2004 - 01:05 AM

Please navigate to the folder we had previously created c:\hijack. Double-click on the winkey.reg file that we had created earlier. When it prompts, if you would like to import/merge the data, click the Yes button.

Launch Registrar Lite

Enter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows into the address field and press enter. On the left side of the screen the Windows key should be selected and highlighted in purple/blue.

While the Windows key is selected (highlighted purple/blue) in the left window, click on File and then Import.

Browse to c:\hijack again and select the winkey.hiv file that we created earlier and click the Open button. Then click the OK button.

Exit Registrar Lite

Reboot

Launch DLLCompare and run per my previous instructions. Please make a log and then post it here.

#26 bevnjeff

bevnjeff

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 23 November 2004 - 01:53 AM

OK --here is the dllcompare logfile.


* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\winceh.dll Thu Feb 26 2004 5:05:06p A.... 21,504 21.00 K
________________________________________________

1,425 items found: 1,425 files, 0 directories.
Total of file sizes: 284,082,050 bytes 270.92 M

Administrator Account = True

--------------------End log---------------------


Looks like my trouble spot is the winceh.dll file. Yes? But, how to remove it?


Regards,

--bevnjeff

#27 Indrid_Cold

Indrid_Cold

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 7,070 posts

Posted 23 November 2004 - 02:37 AM

That is the hostile file. Never been any doubt about that. The rub has been in removing it.

Before moving on and trying this other fix, I wanted to make sure that the file name had not changed.

I want to be clear where we are now at:
You have followed my last instructions to the letter and had no difficulties in restoring both of those reg files that were backed up. You rebooted, ran DLLCompare and we found that the hostile file is still there and under the same name.

If this is not correct, please let me know.

We had to backup a few steps before taking on the next fix and it is important that I know that both of those backup files have been restored with no problems.

A try at a new fix will follow soon.

#28 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 23 November 2004 - 04:23 PM

Ok, first download Pocket Killbox from here:

http://download.broadbandmedic.com/

Run it.

Paste this onto the white line.


C:\WINDOWS\SYSTEM32\winceh.dll

Turn on the delete on reboot button.

Hit the red X.
It will confirm the delete on reboot. Hit Yes.


When instructed to reboot, do so.

After rebooting, run CWShredder one more time.

Run a new DLLCompare log and HijackThis log.
Post them here.


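What the "delete on reboot" option in the step above actually asks Windows to do, as an added example that is not part of the thread and not Pocket Killbox's own code. A DLL that is loaded into every running process cannot be deleted from the live system, so a cleanup tool requests the deletion at the next boot with MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT); Windows records that request in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager and the Session Manager (smss.exe) applies it early in boot, before any process that would load AppInit_DLLs exists. That Killbox uses this exact call is an assumption; the value format is standard. The sample value is constructed from the path in the step above.

```python
"""Delete-on-reboot as Windows records it: PendingFileRenameOperations.

Added example (not from the thread, not Pocket Killbox's code).  The value is
a REG_MULTI_SZ holding (source, destination) pairs in NT path form; an empty
destination means "delete".  Everything here runs offline on constructed data
except schedule_delete_on_windows, which needs Windows and administrator rights.
"""
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4  # flag value from winbase.h


def to_nt_path(path):
    r"""Win32 drive path -> NT native form (\??\C:\...) as stored in the value."""
    path = path.strip()
    if path.startswith("\\??\\"):
        return path
    if len(path) > 2 and path[1] == ":" and path[2] == "\\":
        return "\\??\\" + path[0].upper() + path[1:]
    raise ValueError("expected an absolute drive-letter path: %r" % path)


def encode_multi_sz(strings):
    """REG_MULTI_SZ: each string NUL-terminated, UTF-16LE, plus a final NUL.
    Empty strings are kept because this value uses them as the delete marker."""
    if any("\x00" in s for s in strings):
        raise ValueError("embedded NUL in string")
    return ("".join(s + "\x00" for s in strings) + "\x00").encode("utf-16-le")


def decode_multi_sz(data):
    """Inverse of encode_multi_sz.  Splits by data length instead of stopping
    at the first empty string, which is where a generic REG_MULTI_SZ reader
    goes wrong on this particular value."""
    text = data.decode("utf-16-le")
    if not text.endswith("\x00"):
        raise ValueError("missing list terminator")
    body = text[:-1]
    if body in ("", "\x00"):
        return []
    if not body.endswith("\x00"):
        raise ValueError("last string is not NUL-terminated")
    return body[:-1].split("\x00")


def pending_operations(strings):
    """Group the flat string list into (source, destination) pairs."""
    if len(strings) % 2:
        raise ValueError("odd number of strings in PendingFileRenameOperations")
    return list(zip(strings[0::2], strings[1::2]))


def pending_deletes(data):
    """Sources queued for deletion (empty destination) in a raw value."""
    return [src for src, dst in pending_operations(decode_multi_sz(data)) if dst == ""]


def queue_delete(strings, path):
    """Return the value with a delete-at-boot request for `path` appended."""
    return list(strings) + [to_nt_path(path), ""]


def schedule_delete_on_windows(path):
    """Live version of queue_delete: have the kernel record the same request.
    Windows only; MOVEFILE_DELAY_UNTIL_REBOOT needs administrator rights."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is only available on Windows")
    import ctypes
    if not ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError()


# Constructed sample: an empty value, then the same value after queueing the
# DLL from this thread for deletion at the next boot.
EMPTY_VALUE = encode_multi_sz([])
AFTER_KILLBOX = encode_multi_sz(queue_delete([], r"C:\WINDOWS\SYSTEM32\winceh.dll"))

if __name__ == "__main__":
    for src, dst in pending_operations(decode_multi_sz(AFTER_KILLBOX)):
        print("%s -> %s" % (src, dst or "<delete>"))
```

On the machine itself the queued request can be read back before rebooting with `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations`. If the entry was there, the reboot happened, and the file is still present afterwards, something re-created it and the load point (AppInit_DLLs) still needs clearing.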

#29 bevnjeff

bevnjeff

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 24 November 2004 - 01:46 AM

Wow! Can it be? Am I clean? Killbox killed my bad file (I think).

Here are my logs:

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

1,424 items found: 1,424 files, 0 directories.
Total of file sizes: 284,060,546 bytes 270.90 M

Administrator Account = True

AppInit_DLLs value = c:\windows\system32\winceh.dll (not hidden)
--------------------End log---------------------

************************************************************

Logfile of HijackThis v1.97.7
Scan saved at 1:38:08 AM, on 11/24/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\update.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM5.5.3415\aim.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DLLCOMPARE\DllCompare.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Coolwebshredder\Hijackthis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\family\Application Data\Mozilla\Profiles\default\8o1ht4zm.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [Update 5300C] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\update.exe 5300C+
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM5.5.3415\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt0_x.cab
O16 - DPF: Yahoo! MLB StatTracker - http://aud5.sports.d...mlbst8402_x.cab
O16 - DPF: Yahoo! NBA StatTracker - http://aud4.sports.y...nbast8262_x.cab
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud13.sports....lgcst1008_x.cab
O16 - DPF: Yahoo! NHL StatTracker - http://aud3.sports.y...nhlst8242_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.micr...b?1083975488281
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instants...erxsigned33.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab


Anxiously awaiting your verdict re my computer -- preparing to be eternally grateful!

--bevnjeff

#30 Indrid_Cold

Indrid_Cold

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 7,070 posts

Posted 24 November 2004 - 03:33 AM

Many thanks shadowwar for your expertise and assistance.

I want to say that things are looking good, but I will defer and wait for shadowwar's read on things. Once we get the okay, I will be back to offer advice on some things you can do to protect yourself against future infection.

#31 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 24 November 2004 - 09:16 AM

ok can you update your hijackthis to 1.98.2

After you scan with that there should be an O20 value for appinit.

check and fix that one.

Then post the new log with 1.98.2



#32 bevnjeff

bevnjeff

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 24 November 2004 - 05:06 PM

Okay, I did what you requested. I updated hijackthis, ran it, and cleared out the O20 line (it had a winceh.dll reference).


Here's my new log:


Logfile of HijackThis v1.98.2
Scan saved at 5:03:10 PM, on 11/24/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\update.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM5.5.3415\aim.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\DOCUME~1\family\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\family\Application Data\Mozilla\Profiles\default\8o1ht4zm.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [Update 5300C] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\update.exe 5300C+
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM5.5.3415\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM5.5.3415\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt0_x.cab
O16 - DPF: Yahoo! MLB StatTracker - http://aud5.sports.d...mlbst8402_x.cab
O16 - DPF: Yahoo! NBA StatTracker - http://aud4.sports.y...nbast8262_x.cab
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud13.sports....lgcst1008_x.cab
O16 - DPF: Yahoo! NHL StatTracker - http://aud3.sports.y...nhlst8242_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instants...erxsigned33.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8CAE1D5-C336-4687-ABE8-8BBF7BB1C82D}: NameServer = 216.187.0.20 216.187.0.21


Thanks for your help!

--bevnjeff
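The check behind the O20 instruction, as an added example that is not a tool from the thread: it runs offline over a REGEDIT4 export in the shape of the winkey file posted earlier and over HijackThis log lines, and reports every DLL registered under AppInit_DLLs. user32.dll loads each DLL named there into every process that loads user32.dll, so a DLL registered at that value comes back in every new process; the DLLCompare log after the Killbox step showed the file gone but the value still set, which this classifies as a dangling reference that must be cleared. The sample export and log lines are constructed; the exact "O20 - AppInit_DLLs:" wording is how I recall HijackThis 1.98.2 printing it and is an assumption.

```python
"""Is the AppInit_DLLs load point clean?  Added example, not a tool from the
thread.  Parses a REGEDIT4 export of the ...\Windows key and HijackThis log
lines, lists the DLLs registered under AppInit_DLLs, and says whether each is
still present or a dangling reference.  Sample inputs are constructed.
"""
import re

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# Assumed HijackThis 1.98 line shape for the AppInit_DLLs value.
_HJT_O20 = re.compile(r"^O20 - AppInit_DLLs:\s*(.*?)\s*$", re.IGNORECASE)


def _unescape(s):
    # REGEDIT4 doubles backslashes and escapes quotes inside string data.
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_regedit4(text):
    """Return {key: {name: value}} for the string and dword values of an export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line) if current is not None else None
        if not m:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name] = _unescape(data[1:-1])
        elif data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        else:
            keys[current][name] = data  # hex(...) and friends: left raw
    return keys


def split_appinit(value):
    """AppInit_DLLs may list several DLLs, separated by spaces or commas."""
    return [p for p in re.split(r"[ ,;]+", value.strip()) if p]


def appinit_from_export(text):
    values = parse_regedit4(text).get(WINDOWS_KEY, {})
    value = values.get("AppInit_DLLs", "")
    return split_appinit(value) if isinstance(value, str) else []


def appinit_from_hjt(log):
    found = []
    for line in log.splitlines():
        m = _HJT_O20.match(line.strip())
        if m:
            found.extend(split_appinit(m.group(1)))
    return found


def triage(dlls, exists):
    """Classify each registered DLL.  `exists` maps a path to True/False
    (os.path.exists on the real machine; a stub in the sample below)."""
    report = {}
    for dll in dlls:
        if exists(dll):
            report[dll] = "present and registered: loads into every process; remove the file, then clear the value"
        else:
            report[dll] = "dangling: file already gone, clear the AppInit_DLLs value"
    return report


# Constructed samples in the shapes seen in this thread.
INFECTED_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\\windows\\system32\\winceh.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"""
CLEAN_EXPORT = INFECTED_EXPORT.replace(r'"c:\\windows\\system32\\winceh.dll"', '""')
HJT_LOG = r"""O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - AppInit_DLLs: c:\windows\system32\winceh.dll
"""

if __name__ == "__main__":
    dlls = appinit_from_export(INFECTED_EXPORT) + appinit_from_hjt(HJT_LOG)
    for path, verdict in triage(sorted(set(dlls)), lambda p: False).items():
        print(path, "->", verdict)
```

A value that is empty in the export and absent from the O20 line, as in the log above, is the clean state; anything else is a load point that will survive deleting the file.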

#33 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 25 November 2004 - 08:18 AM

Looks good to me.



#34 Indrid_Cold

Indrid_Cold

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 7,070 posts

Posted 25 November 2004 - 01:04 PM

Excellent news bevnjeff. Well done!

You need to move that latest copy of HijackThis from that temp folder or risk losing it. Why not move it to C:\Program Files\Coolwebshredder\Hijackthis\HijackThis.exe.

After moving HJT:

- Click Start
- Run
- Type "cleanmgr"

Select the following:
1) Temporary Internet Files
2) Recycle Bin
3) Temporary Files

Some parting advice:

You are not running a firewall. This is your first line of defense against attacks. I would strongly suggest you install one immediately.
I recommend this free version of ZoneAlarm from Zone Labs.

To reduce the potential for spyware infection in the future, I strongly recommend installing the following free products;

SpywareBlaster:
It will prevent spyware from being installed and consumes no system resources.
SpywareBlaster

SpyWareGuard:
It offers realtime protection from spyware installation attempts.
SpywareGuard

IE/Spyad:
It places over 4000 websites and domains in your IE's restricted zone.
IE-SPYAD

I would also strongly recommend that you read this thread written by Tony Klein.
So how did I get infected in the first place

Stay safe out there bevnjeff!

#35 bevnjeff

bevnjeff

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 26 November 2004 - 10:06 AM

Indrid -- thank you for those suggestions. I will install a firewall, as well as moving hijackthis away from the temporary location. I will also download the protection programs you suggested.

But -- more importantly -- a HUGE THANK YOU to you, to Phantom, and to Shadowwar for your help!! I think I am spywarefree, for the first time since March. I'll still be holding my breath each day for a while, but it sure seems like everything you walked me through, worked!

I definitely will be making a donation to the cause, as soon as I let that breath out, as you're all worth it!

Once again, MANY MANY THANKS!!

--bevnjeff

#36 Indrid_Cold

Indrid_Cold

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 7,070 posts

Posted 26 November 2004 - 10:26 AM

You are most welcome bevnjeff and thank you for your kind offer of a donation. Donations ensure that forums like this will always be around to thwart the continuing efforts of those purveyors of scumware.



